Evidence: Collect File System (FS) Events
Description: Collect File System Events
Category: DiskFilesystem
Platform: macos
Short Name: fsevnts
Is Parsed: Yes
Sent to Investigation Hub: Yes
Collect File(s): No
Background
FSEvents maintains a journal of file system changes. This data is essential for reconstructing file activity timelines and detecting suspicious modifications.
Data Collected
This collector gathers structured data about file system (FS) events.
Collection Method
This collector copies entries from /System/Volumes/Data/.fseventsd/ into the case content for offline analysis.
Forensic Value
This evidence is crucial for forensic investigations as it reveals file creations, deletions, and renames even when file metadata is missing.